From e78ad74b2be076ac4aeb64ebf096cfcc141d66a6 Mon Sep 17 00:00:00 2001
From: Jooyung Han
Date: Mon, 11 Sep 2023 13:40:52 +0900
Subject: [PATCH] Run apex_sepolicy_tests for all installed APEXes
This is to check if unknown file context labels are used in APEX. The reason why this is done in Makefile is to cover vendor-specific SE policy and prebuilt APEXes. Note that there's already a validation check when building APEXes (in Soong), which only checks the generic rules, not vendor-specific.
Bug: 299391194
Test: atest apex_sepolicy_tests_test
Test: m
Change-Id: I4378b7530e8433d2bf188db95cb5bf791e3bf778
---
 core/Makefile | 44 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)
diff --git a/core/Makefile b/core/Makefile
index 82545de216..8184af05fa 100644
--- a/core/Makefile
+++ b/core/Makefile
@@ -4929,6 +4929,50 @@ INTERNAL_ALLIMAGES_FILES := \
 $(INTERNAL_SYSTEM_DLKMIMAGE_FILES) \
 $(INTERNAL_PVMFWIMAGE_FILES) \
+# -----------------------------------------------------------------
+# Run apex_sepolicy_tests for all installed APEXes
+
+ifeq (,$(TARGET_BUILD_UNBUNDLED))
+intermediate := $(call intermediates-dir-for,PACKAGING,apex_sepolicy_tests)
+apex_dirs := \
+ $(TARGET_OUT)/apex/% \
+ $(TARGET_OUT_SYSTEM_EXT)/apex/% \
+ $(TARGET_OUT_VENDOR)/apex/% \
+ $(TARGET_OUT_PRODUCT)/apex/% \
+
+apex_files := $(sort $(filter $(apex_dirs), $(INTERNAL_ALLIMAGES_FILES)))
+apex_dirs :=
+
+# $1: apex file
+# $2: output file
+define _run_apex_sepolicy_tests
+$2: $1 \
+ $(HOST_OUT_EXECUTABLES)/apex_sepolicy_tests \
+ $(HOST_OUT_EXECUTABLES)/deapexer \
+ $(HOST_OUT_EXECUTABLES)/debugfs_static
+ @rm -rf $$@
+ @mkdir -p $(dir $$@)
+ $(HOST_OUT_EXECUTABLES)/apex_sepolicy_tests --all -f <($(HOST_OUT_EXECUTABLES)/deapexer --debugfs_path $(HOST_OUT_EXECUTABLES)/debugfs_static list -Z $$<)
+ @touch $$@
+endef
+
+# $1: apex file list
+define run_apex_sepolicy_tests
+$(foreach apex_file,$1, \
+ $(eval passfile := $(patsubst $(PRODUCT_OUT)/%,$(intermediate)/%.pass,$(apex_file))) \
+ $(eval $(call _run_apex_sepolicy_tests,$(apex_file),$(passfile))) \
+ $(passfile))
+endef
+
+.PHONY: run_apex_sepolicy_tests
+run_apex_sepolicy_tests: $(call run_apex_sepolicy_tests,$(apex_files))
+
+droid_targets: run_apex_sepolicy_tests
+
+apex_files :=
+intermediate :=
+endif # TARGET_BUILD_UNBUNDLED
+
 # -----------------------------------------------------------------
 # Check VINTF of build
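Review bot: The test recipe in `_run_apex_sepolicy_tests` can record a pass even when the file listing was never produced, because `deapexer` runs inside the `<( … )` process substitution and its exit status is discarded. Whether `apex_sepolicy_tests` rejects an empty or truncated listing is not visible here, so for an APEX that cannot be read the label check may fail open and `touch $$@` still runs. Producing the listing as its own recipe step stops the rule on a deapexer failure: `$(HOST_OUT_EXECUTABLES)/deapexer --debugfs_path $(HOST_OUT_EXECUTABLES)/debugfs_static list -Z $$< > $$@.fc` followed by `$(HOST_OUT_EXECUTABLES)/apex_sepolicy_tests --all -f $$@.fc`. Separately, `$(dir $$@)` is expanded when `$(call …)` runs, so `dir` sees the literal text `$@` and the line becomes `mkdir -p ./`. Writing `@mkdir -p $$(dir $$@)` defers it to recipe time, unless the pass-file directory is created elsewhere.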